Interfaces provide access to a module’s policy resources (i.e., to its
privately declared types and attributes). All domains
needing a particular access will use the same interface;
therefore, the policy rules required for the access will
be consistent across all users of the interface. Thus
policy changes for access to a type require only a
change in one place, rather than requiring changes to all
the modules that use the type as is common in the sample policy.

For improved clarity, interfaces follow clear naming
conventions. In particular, the module name, or abbreviation,
is prefixed to the interface name. This allows a
policy writer to look at a policy and easily see where all
of the interface calls are. In addition, consistent verbs
are used to describe the access, such as read, write, and
delete.

Each interface contains two parts, the dependencies and
the access. The dependencies are contained in a
gen_require() macro. This macro contains the statements
that would be placed in a require block for loadable modules.
It lists all of the types and attributes used
by the interface. If an object class for a user space object
manager is used, such as DBUS or NSCD, the object
class and required permissions must also be listed.
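
The two parts and the naming convention, shown as an added example that is not taken from the reference policy itself. The module name myapp and its types myapp_t and myapp_etc_t are hypothetical and assumed to be declared privately in the module's .te file; the second interface uses the DBUS user space object manager, so its gen_require() also lists the object class and permission.

```m4
## <summary>Example policy interfaces for the hypothetical myapp module.</summary>

########################################
## <summary>
##	Read myapp configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`myapp_read_config',`
	# Dependencies: every type or attribute the rules below reference.
	gen_require(`
		type myapp_etc_t;
	')

	# Access: the rules granted to the calling domain, passed in as $1.
	files_search_etc($1)
	read_files_pattern($1, myapp_etc_t, myapp_etc_t)
')

########################################
## <summary>
##	Send and receive messages from myapp over DBUS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`myapp_dbus_chat',`
	# A user space object manager class is used, so the class and
	# the permission must be required alongside the type.
	gen_require(`
		type myapp_t;
		class dbus send_msg;
	')

	allow $1 myapp_t:dbus send_msg;
	allow myapp_t $1:dbus send_msg;
')
```

A calling module never names myapp_etc_t or myapp_t itself; it writes myapp_read_config(caller_t), where caller_t stands for its own domain, so a later change to how the configuration is labeled is made only inside the interface.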